From Gentoo Wiki
< User:JM01085758(Redirected from Kernel Lockdown)
Jump to:navigation Jump to:search
Warning, this page is a work in progress by JM01085758 (talk | contribs). Treat its contents with caution.

Since kernel version 5.4,[1] support has been added for integrity and confidentiality lockdown modes. Lockdown is a Linux Security Module (LSM) which expands the traditional LSM focus on control once userspace is active to having an LSM enabled very early in the boot sequence, even before kmalloc() can request memory.[2] Integrity mode disables features that allow userspace to modify the running kernel. Confidentiality mode does the same but goes further, also preventing extraction of confidential information.[3] Enabling either will prevent the loading of unsigned kernel modules as well as unencrypted hibernation or suspend to swap.[4] By default in Gentoo, neither mode is enabled, but on EFI x86 or arm64 with other distributions, lockdown may be automatically enabled when Secure Boot is enabled.[4]


The motivation for implementing this feature was "to enforce a distinction between running as root and the ability to run code in kernel mode".[5] To quote Matthew Garrett, "if you can run arbitrary code in the kernel then you can use the kernel to boot anything you want",[6] defeating the point of UEFI Secure Boot. Work on the lockdown LSM began in the early 2010s.[7]


KERNEL menuconfig
Security options  ---> 
    [*] Basic module for enforcing kernel lockdown
    [*]   Enable lockdown LSM early in init
          Kernel default lockdown mode (Integrity)  --->


Lockdown modes can also be enabled via GRUB: GRUB_CMDLINE_LINUX="lockdown=integrity".[3]


Enabling one of the lockdown modes will affect one's ability to modify and/or read from the following:

A more extensive list can be seen here.[4]


Kernels prior to 5.19 contain a trivial bypass bug, CVE-2022-21505.[9][10]

CVE-2022-21499, patched in May 2022.[11]

See also

External resources